MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5
SHA3-384 hash: a988c2aac04e30c3fe6241e6e4bcfcaee216b755d7143a3574d5e04aef8ea740a4e0a74c40d8e3db10fd326224ec8a55
SHA1 hash: 3b04c5b9c97d26239290f2624271272b8e9bf7a6
MD5 hash: df8e2e45f743b9de274b36cceb0152f2
humanhash: king-robert-winner-minnesota
File name:DIL-Statement Overdues & Listed Invoice-August 2020.exe
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:531'048 bytes
First seen:2020-09-02 13:24:25 UTC
Last seen:2020-09-02 13:27:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5eeb48c75e8c738c0fda2c5e3d3a528a (1 x AveMariaRAT)
ssdeep 6144:XkZrO6hOi6VV/JafLCkcVsrnWn1oFou3Ri9wrP2C6bH940DvlKxgT2CRyJeyLxJJ:UZq6hWxaf2klQEiyTF6RRvag2Ck/HQJO
Threatray 425 similar samples on MalwareBazaar
TLSH D3B46C23B6B14837D1635E78DD5B976C9D26FE503E2898862BF41C4CAF39781382B187
Reporter James_inthe_box
Tags:AveMariaRAT exe

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Trojan.Generic-6629273-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/457502
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 281138 Sample: DIL-Statement Overdues & Li... Startdate: 02/09/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AveMaria stealer 2->47 49 8 other signatures 2->49 8 Evhhnet.exe 2->8         started        12 DIL-Statement Overdues & Listed Invoice-August 2020.exe 1 2 2->12         started        15 Evhhnet.exe 2->15         started        process3 dnsIp4 57 Multi AV Scanner detection for dropped file 8->57 59 Detected unpacking (creates a PE file in dynamic memory) 8->59 61 Machine Learning detection for dropped file 8->61 69 4 other signatures 8->69 17 ieinstal.exe 1 8->17         started        39 cdn.discordapp.com 162.159.134.233, 443, 49722, 49736 CLOUDFLARENETUS United States 12->39 35 C:\Users\user\AppData\Localvhhnet.exe, PE32 12->35 dropped 63 Writes to foreign memory regions 12->63 65 Allocates memory in foreign processes 12->65 67 Creates a thread in another existing process (thread injection) 12->67 19 ieinstal.exe 3 2 12->19         started        23 notepad.exe 4 12->23         started        41 162.159.130.233, 443, 49740 CLOUDFLARENETUS United States 15->41 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 tuwise.ddns.net 84.38.135.151, 3670, 49734 DATACLUBLV Latvia 19->37 51 Tries to steal Mail credentials (via file access) 19->51 53 Increases the number of concurrent connection per server for Internet Explorer 19->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->55 27 cmd.exe 1 23->27         started        29 cmd.exe 1 23->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-09-02 05:05:45 UTC
File Type:
PE (Exe)
Extracted files:
68
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vnhwianhdmwfwo4orrztff3d3hzrhwmdcnfyligxrizmeqpj2sq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
07c550d81a89943f6d836816d7ab56678cecba4450ec4de144e53e913302b1a9
AveMariaRAT
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
AveMariaRAT
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
AveMariaRAT
57f4246d683336ab606ba5831ce88a0ff47a42de652f72795fe76169195821e1
AveMariaRAT
60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
AveMariaRAT
7ff8f569a151047f25f2f858e562e4b5b54d9af822105780f6c8a91ec4740124
AveMariaRAT
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
AveMariaRAT
9d71c01a2e63e041ca58886eba792d3fc0c0064198d225f2f0e2e70c6222365c
AveMariaRAT
b2ebc0f8c302a04961b8c2ed0673384050e5932a370be062788b7630bf188123
AveMariaRAT
b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
AveMariaRAT
+ 415 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200902-3bhdsaw8ee/
Behaviour
Modifies registry key
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/54353/

Comments